I think I disagree.  I assume an SD-JWT in a VP could be volunteered by a 
Holder initiating a transaction.  i.e., the relying party Verifier didn’t 
request the VP.

The example I would give is an enterprise making a phone call and using SIP 
INVITE method Identity header to carry an SD-JWT VP.

In the US, the TRACED Act law and several FCC mandates require voice calls in 
the Public Switched Telephone Network (PSTN) to be authenticated using 
information contained in a JWT.

The basic type of JWT required is defined in RFC 8225 “PASSporT: Personal 
Assertion Token” and is carried in the SIP INVITE method Identity header.

There is also an I-D in the IETF STIR working group which proposes use of an 
SD-JWT: Verified STI Persona (aka VESPER).

I assume the VP could be encoded by value in the SIP Identity JWT or could be 
passed via a DID document reference (in theory).

Pierce



CONFIDENTIAL
From: Tom Jones <thomasclinganjo...@gmail.com>
Sent: Monday, December 16, 2024 12:50 PM
To: Watson Ladd <watsonbl...@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: SD-JWT linkability

You don't often get email from 
thomasclinganjo...@gmail.com<mailto:thomasclinganjo...@gmail.com>. Learn why 
this is important<https://aka.ms/LearnAboutSenderIdentification>


EXTERNAL EMAIL
The entire premise of SD-JWT in a VP transaction is basically fraudulent as 
there is not sufficient information in the VP to allow the user to make an 
informed consent decision. It gives the illusion of user control without the 
ability to deliver on the promise. For this proposal to have any value to the 
user it must be part of a transaction that tells the user agent (wallet) who is 
asking for the data and what the purpose of the request is. Absent that, this 
give the impression of user control of release of data without the fact.

BTW - the idea of dealing with the UX of the transaction is admirable, but 
there are no UX people involved in the discussion.

Peace ..tom jones


On Wed, Dec 11, 2024 at 5:01 PM Watson Ladd 
<watsonbl...@gmail.com<mailto:watsonbl...@gmail.com>> wrote:
Dear all,

I'd like to propose the following edit to resolve the concerns I have
around endorsing dangerous applications of SD-JWT:

Delete last two lines of
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files
in 1338 and 1339

Add new paragraph right before the end of the section.

"When disclosures include information easily understood to be
identifying, users intuitive view of what they are revealing largely
matches the underlying technical reality. In cases where the
information being disclosed is not identifying, SD-JWT
MUST NOT be used as this confusion leads to users making the wrong
choices. Applications cannot assume Verifiers behave properly (RFC
3514) and MUST analyze the consequences for such linkage with each
credential that could be used."

I think this agrees with many of the comments made about my initially
stronger edit, while addressing the core danger.

Also, it seems this section only really treats issuer/verifier despite
promising more. Do we need to rework it?

Sincerely,
Watson Ladd
--
Astra mortemque praestare gradatim

_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to 
oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to